11 April,19 at 11:50 AM
Let's get started.
Here's what you will need.
1 - A Deployment of Centrify Privilege Service (CPS) On Premise or via our SaaS offering.
2 - A login account with, at a minimum, a role that has administrative rights for Report Management.
3 - Permissions to view all accounts and systems in CPS.
4 - 30 minutes or less
Setup
First, let's go through some setup steps. This assumes you already have an instance of CPS available to you.
Log in as a user with System Administrator privileges. Go to Admin Portal --> Roles and then click the "Add Role" button. Name the role "CPS Administrator" for example. Then go to Administrative Rights and click the "Add" button to add the "Report Management" administrative right.
Next, go to Members and specify the user that you would like to have this role. Make sure to click the "Save" button.
After setting up the role, we will assign permissions to the role in CPS. In my example today, I am going to grant my role access to view all systems and accounts so that its members can report on all systems and accounts in CPS. However, you can make more granular grants of permissions if you'd like.
So, while still logged in as a user with the role of System Administrator, go to the Settings for the Privilege Service or Infrastructure and choose Account Permissions. Click the "Add" button and choose your new role "CPS Audit Reporting". Make sure the "View" box is checked. Click the "Save" button.
After this, go to the Systems Permissions, click the "Add" button again, and select the new role "CPS Audit Reporting". Make sure to check the "View" box, then click the "Save" button.
Report Creation
Now that all the basics have been set up, let's do the actual reporting. In Admin Portal choose "Reports". Then go to My Reports and click the "New Report" button. Specify the name as "Account Status", then select Script Editor and add this query:
SELECT Server.Name as 'Name',
       Server.FQDN as 'DNS Name/IP Address',
       VaultAccount.User as 'Account',
       VaultAccount.Healthy as 'Status',
       VaultAccount.DueBack as 'due date',
       VaultAccount.PasswordResetLastError as 'Error',
       VaultAccount.ID as _AccountID,
       VaultAccount.MissingPassword as _MissingPassword,
       VaultAccount.Host as _AccountHost,
       VaultAccount.User as _AccountUser
FROM VaultAccount
JOIN Server ON VaultAccount.Host = Server.ID AND VaultAccount.Host IS NOT NULL
ORDER BY Server.Name
As always, click the "Save" button.
Go back into Script Editor by selecting the report and then choosing Modify from the Actions pull-down menu.
Look to the far right and note the data dictionary. This is where you can pick additional attributes for your report.
Finally, let's run the report. Go to Admin Portal --> Reports --> My Reports and select your new "Account Status" report just by clicking on it. The report will execute and you can view it in your browser. If you would like to export it or email it, those are options in the Actions pull-down menu.
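To see which rows the Account Status query returns before extending it, the added example below (not from the original post or from Centrify) runs the same SELECT against a local SQLite stand-in and then picks out the rows an auditor would look at first. Only the column names come from the query above; the table layouts, sample rows, Status strings, the assumption that the query runs unchanged in SQLite, and the needs_attention helper are all constructed for illustration.

```python
import sqlite3

# The "Account Status" report query from the post, unchanged.
REPORT_SQL = """
SELECT Server.Name as 'Name', Server.FQDN as 'DNS Name/IP Address',
       VaultAccount.User as 'Account', VaultAccount.Healthy as 'Status',
       VaultAccount.DueBack as 'due date',
       VaultAccount.PasswordResetLastError as 'Error',
       VaultAccount.ID as _AccountID,
       VaultAccount.MissingPassword as _MissingPassword,
       VaultAccount.Host as _AccountHost, VaultAccount.User as _AccountUser
FROM VaultAccount
JOIN Server ON VaultAccount.Host = Server.ID AND VaultAccount.Host IS NOT NULL
ORDER BY Server.Name
"""

# Assumed stand-in schema and constructed rows; the real CPS tables have more
# columns, and the Status strings used here are placeholders.
SAMPLE_SCHEMA = """
CREATE TABLE Server (ID TEXT PRIMARY KEY, Name TEXT, FQDN TEXT);
CREATE TABLE VaultAccount (ID TEXT PRIMARY KEY, Host TEXT, User TEXT,
    Healthy TEXT, DueBack TEXT, PasswordResetLastError TEXT,
    MissingPassword INTEGER);
INSERT INTO Server VALUES ('s1', 'web01', 'web01.example.test'),
                          ('s2', 'db01', 'db01.example.test');
INSERT INTO VaultAccount VALUES
    ('a1', 's1', 'root',   'OK',      NULL, NULL, 0),
    ('a2', 's2', 'oracle', 'Problem', NULL, 'constructed error text', 0),
    ('a3', 's2', 'backup', 'OK',      NULL, NULL, 1),
    ('a4', NULL, 'svc-nohost', 'OK',  NULL, NULL, 0);
"""

def run_report(db):
    """Run the report and return one dict per row, keyed by column alias."""
    db.row_factory = sqlite3.Row
    return [dict(row) for row in db.execute(REPORT_SQL)]

def needs_attention(rows):
    """Rows that record a password reset error or a missing password."""
    return [r for r in rows if r["Error"] or r["_MissingPassword"]]

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SAMPLE_SCHEMA)
    rows = run_report(db)
    return rows, needs_attention(rows)

if __name__ == "__main__":
    rows, flagged = demo()
    print(len(rows), "rows;", [r["Account"] for r in flagged], "need attention")
```

The constructed account with no Host never appears in the output, because the JOIN only returns accounts attached to a system; a report meant to cover every vaulted account needs a separate query for those.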
In summary, we have set up an Audit User with a role that can view the resources and accounts, as well as run reports. Then we created a custom report for Local Account Status and also showed how reports may be modified using the data dictionary. Finally, we ran the report.